1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
#include "stroke_ca.h"
#include "stroke_cred.h"

#include <stdio.h>
#include <string.h>

#include <utils/mutex.h>
#include <utils/linked_list.h>
#include <crypto/hashers/hasher.h>

#include <daemon.h>
27
typedef struct private_stroke_ca_t private_stroke_ca_t;

/**
 * Private data of stroke_ca: the CA sections loaded through stroke and the
 * credential_set_t interface exposed to the daemon through them.
 */
struct private_stroke_ca_t {

	/**
	 * Public functions (stroke_ca_t, including its credential_set_t)
	 */
	stroke_ca_t public;

	/**
	 * Mutex serializing access to the sections list. It is created
	 * recursive in stroke_ca_create() and, for CDP lookups, stays locked
	 * from create_cdp_enumerator() until the enumerator is destroyed
	 * (cdp_data_destroy()).
	 */
	mutex_t *mutex;

	/**
	 * List of starters CA sections and their certificates (ca_section_t)
	 */
	linked_list_t *sections;

	/**
	 * Stroke credentials, used to load (and store) our CA certificates
	 */
	stroke_cred_t *cred;
};
55
typedef struct ca_section_t ca_section_t;

/**
 * A CA section loaded from ipsec.conf: the CA certificate together with the
 * CRL/OCSP URIs and the "hash and URL" base configured for it.
 */
struct ca_section_t {

	/**
	 * Name of the CA section (owned copy, freed in ca_section_destroy())
	 */
	char *name;

	/**
	 * Reference to the cert loaded through stroke_cred_t; the section does
	 * not own it and does not destroy it
	 */
	certificate_t *cert;

	/**
	 * CRL URIs (owned char* strings)
	 */
	linked_list_t *crl;

	/**
	 * OCSP URIs (owned char* strings)
	 */
	linked_list_t *ocsp;

	/**
	 * Hashes of certificates issued by this CA, as identification_t of
	 * type ID_CERT_DER_SHA1, collected by check_for_hash_and_url()
	 */
	linked_list_t *hashes;

	/**
	 * Base URI a certificate hash is appended to in order to form its
	 * "hash and URL" location; NULL if the section has none
	 */
	char *certuribase;
};
93
94 /**
95 * create a new CA section
96 */
/**
 * Allocate a CA section for the given name.
 *
 * @param name	section name, copied
 * @param cert	CA certificate, referenced but not owned by the section
 * @return		newly allocated section with empty URI and hash lists
 */
static ca_section_t *ca_section_create(char *name, certificate_t *cert)
{
	ca_section_t *section = malloc_thing(ca_section_t);

	section->name = strdup(name);
	section->cert = cert;
	section->certuribase = NULL;
	section->crl = linked_list_create();
	section->ocsp = linked_list_create();
	section->hashes = linked_list_create();
	return section;
}
109
110 /**
111 * destroy a ca section entry
112 */
/**
 * Free a CA section and everything it owns (name, URI strings, hashes,
 * certuribase). The referenced certificate is left untouched.
 */
static void ca_section_destroy(ca_section_t *this)
{
	free(this->name);
	free(this->certuribase);
	/* hash entries are identification_t objects, URIs are plain strings */
	this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy));
	this->ocsp->destroy_function(this->ocsp, free);
	this->crl->destroy_function(this->crl, free);
	free(this);
}
122
123 /**
124 * data to pass to create_inner_cdp
125 */
typedef struct {
	/** back reference, needed to unlock the sections mutex on destruction */
	private_stroke_ca_t *this;
	/** requested CDP type, selects the OCSP or the CRL list of a section */
	certificate_type_t type;
	/** identification to match against, NULL to enumerate unconditionally */
	identification_t *id;
} cdp_data_t;
131
132 /**
133 * destroy cdp enumerator data and unlock list
134 */
/**
 * Release the cdp enumerator data and the sections mutex taken in
 * create_cdp_enumerator().
 */
static void cdp_data_destroy(cdp_data_t *data)
{
	mutex_t *mutex = data->this->mutex;

	free(data);
	mutex->unlock(mutex);
}
140
141 /**
142 * inner enumerator constructor for CDP URIs
143 */
/**
 * Inner enumerator constructor for CDP (CRL or OCSP) URIs of one section.
 *
 * @param section	CA section to take URIs from
 * @param data		enumerator data with CDP type and optional identification
 * @return			enumerator over the section's URIs, NULL if the section's
 *					key does not match data->id
 */
static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
{
	enumerator_t *result = NULL;
	linked_list_t *uris;
	public_key_t *key;
	bool matches = TRUE;

	uris = (data->type == CERT_X509_OCSP_RESPONSE) ? section->ocsp : section->crl;

	key = section->cert->get_public_key(section->cert);
	if (!key)
	{
		return NULL;
	}
	if (data->id)
	{
		/* compare the CA key using an id of the same type as the requested one */
		identification_t *keyid = key->get_id(key, data->id->get_type(data->id));

		matches = keyid && keyid->matches(keyid, data->id);
	}
	if (matches)
	{
		result = uris->create_enumerator(uris);
	}
	key->destroy(key);
	return result;
}
179
180 /**
181 * inner enumerator constructor for hash and URL
182 */
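/**
 * Inner enumerator constructor for "hash and URL" certificate lookup.
 *
 * If data->id matches one of the hashes of certificates issued by this
 * section's CA, returns an enumerator over a single URL formed by the
 * section's certuribase followed by the hex encoding of that hash. The URL
 * string is owned by the returned enumerator and freed with it.
 *
 * @param section	CA section to search
 * @param data		enumerator data carrying the identification to match
 * @return			enumerator over one URL, NULL if nothing matches or the
 *					section has no certuribase
 */
static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section,
												 cdp_data_t *data)
{
	enumerator_t *enumerator = NULL, *hash_enum;
	identification_t *current;

	if (!data->id || !section->certuribase)
	{
		return NULL;
	}

	hash_enum = section->hashes->create_enumerator(section->hashes);
	while (hash_enum->enumerate(hash_enum, &current))
	{
		if (current->matches(current, data->id))
		{
			chunk_t hash = current->get_encoding(current);
			char *hash_str = chunk_to_hex(hash, FALSE);
			/* size the buffer from the actual hex string instead of a fixed
			 * 40 characters, so a hash of any length is copied untruncated */
			size_t len = strlen(section->certuribase) + strlen(hash_str) + 1;
			char *url = malloc(len);

			snprintf(url, len, "%s%s", section->certuribase, hash_str);
			free(hash_str);

			enumerator = enumerator_create_single(url, free);
			break;
		}
	}
	hash_enum->destroy(hash_enum);
	return enumerator;
}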
212
213 /**
214 * Implementation of credential_set_t.create_cdp_enumerator.
215 */
/**
 * Implementation of credential_set_t.create_cdp_enumerator.
 *
 * Serves CRL URIs, OCSP responder URIs and "hash and URL" locations. The
 * sections mutex is taken here and released when the returned enumerator
 * is destroyed, see cdp_data_destroy().
 */
static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this,
										   certificate_type_t type, identification_t *id)
{
	cdp_data_t *data;
	void *inner;

	if (type != CERT_X509 && type != CERT_X509_CRL &&
		type != CERT_X509_OCSP_RESPONSE && type != CERT_ANY)
	{
		return NULL;
	}
	/* certificate lookups use the issued-cert hashes, the rest the URI lists */
	inner = (type == CERT_X509) ? (void*)create_inner_cdp_hashandurl
								: (void*)create_inner_cdp;

	data = malloc_thing(cdp_data_t);
	data->this = this;
	data->type = type;
	data->id = id;

	this->mutex->lock(this->mutex);
	return enumerator_create_nested(this->sections->create_enumerator(this->sections),
									inner, data, (void*)cdp_data_destroy);
}
/**
 * Append a copy of uri to list, if uri is set.
 */
static void add_uri(linked_list_t *list, char *uri)
{
	if (uri)
	{
		list->insert_last(list, strdup(uri));
	}
}

/**
 * Implementation of stroke_ca_t.add.
 *
 * Loads the CA certificate named in the message through stroke_cred_t and
 * registers a section with the CRL/OCSP URIs and certuribase given.
 */
static void add(private_stroke_ca_t *this, stroke_msg_t *msg)
{
	certificate_t *cert;
	ca_section_t *section;

	if (!msg->add_ca.cacert)
	{
		DBG1(DBG_CFG, "missing cacert parameter");
		return;
	}
	cert = this->cred->load_ca(this->cred, msg->add_ca.cacert);
	if (!cert)
	{
		return;
	}
	section = ca_section_create(msg->add_ca.name, cert);
	add_uri(section->crl, msg->add_ca.crluri);
	add_uri(section->crl, msg->add_ca.crluri2);
	add_uri(section->ocsp, msg->add_ca.ocspuri);
	add_uri(section->ocsp, msg->add_ca.ocspuri2);
	if (msg->add_ca.certuribase)
	{
		section->certuribase = strdup(msg->add_ca.certuribase);
	}

	this->mutex->lock(this->mutex);
	this->sections->insert_last(this->sections, section);
	this->mutex->unlock(this->mutex);
	DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name);
}
284
285 /**
286 * Implementation of stroke_ca_t.del.
287 */
/**
 * Implementation of stroke_ca_t.del.
 *
 * Removes the first section whose name matches and destroys it outside
 * the lock. Certificates cached from the section are not flushed yet.
 */
static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
{
	enumerator_t *enumerator;
	ca_section_t *current, *found = NULL;

	this->mutex->lock(this->mutex);
	enumerator = this->sections->create_enumerator(this->sections);
	while (enumerator->enumerate(enumerator, &current))
	{
		if (streq(current->name, msg->del_ca.name))
		{
			this->sections->remove_at(this->sections, enumerator);
			found = current;
			break;
		}
	}
	enumerator->destroy(enumerator);
	this->mutex->unlock(this->mutex);

	if (!found)
	{
		DBG1(DBG_CFG, "no ca named '%s' found\n", msg->del_ca.name);
		return;
	}
	ca_section_destroy(found);
	/* TODO: flush cached certs */
}
314
315 /**
316 * list crl or ocsp URIs
317 */
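/**
 * Print the URIs of a CRL or OCSP list, one per line. The label precedes
 * the first URI, following URIs are indented by a single space; nothing is
 * printed for an empty list.
 *
 * @param list		list of char* URIs
 * @param label		prefix for the first line, printed verbatim
 * @param out		stream to print to
 */
static void list_uris(linked_list_t *list, const char *label, FILE *out)
{
	bool first = TRUE;
	char *uri;
	enumerator_t *enumerator;

	enumerator = list->create_enumerator(list);
	while (enumerator->enumerate(enumerator, (void**)&uri))
	{
		if (first)
		{
			/* label is data, not a format string, so it is never handed to
			 * fprintf() as the format argument */
			fputs(label, out);
			first = FALSE;
		}
		else
		{
			fputc(' ', out);
		}
		fprintf(out, "'%s'\n", uri);
	}
	enumerator->destroy(enumerator);
}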
340
341 /**
342 * Implementation of stroke_ca_t.check_for_hash_and_url.
343 */
/**
 * Implementation of stroke_ca_t.check_for_hash_and_url.
 *
 * If cert was issued by the CA of a section that has a certuribase, record
 * the SHA1 hash of its DER encoding in that section's hash list so the
 * certificate can later be served as "hash and URL". Only the first
 * matching section is updated.
 */
static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cert)
{
	hasher_t *hasher;
	enumerator_t *enumerator;
	ca_section_t *section;

	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
	if (!hasher)
	{
		DBG1(DBG_IKE, "unable to use hash and URL, SHA1 not supported");
		return;
	}

	this->mutex->lock(this->mutex);
	enumerator = this->sections->create_enumerator(this->sections);
	while (enumerator->enumerate(enumerator, (void**)&section))
	{
		chunk_t encoded, hash;

		if (!section->certuribase || !cert->issued_by(cert, section->cert))
		{
			continue;
		}
		encoded = cert->get_encoding(cert);
		hasher->allocate_hash(hasher, encoded, &hash);
		/* identification_create_from_encoding() copies the hash */
		section->hashes->insert_last(section->hashes,
					identification_create_from_encoding(ID_CERT_DER_SHA1, hash));
		chunk_free(&encoded);
		chunk_free(&hash);
		break;
	}
	enumerator->destroy(enumerator);
	this->mutex->unlock(this->mutex);

	hasher->destroy(hasher);
}
376
377 /**
378 * Implementation of stroke_ca_t.list.
379 */
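/**
 * Implementation of stroke_ca_t.list.
 *
 * Prints every CA section with its subject, key ids, CRL/OCSP URIs and,
 * if configured, its certuribase. Uses the %D printf hook for identities.
 *
 * @param this	private stroke_ca data
 * @param msg	stroke message (unused, kept for the stroke_ca_t interface)
 * @param out	stream to print to
 */
static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
{
	bool first = TRUE;
	ca_section_t *section;
	enumerator_t *enumerator;

	this->mutex->lock(this->mutex);
	enumerator = this->sections->create_enumerator(this->sections);
	while (enumerator->enumerate(enumerator, (void**)&section))
	{
		certificate_t *cert = section->cert;
		public_key_t *public = cert->get_public_key(cert);

		if (first)
		{
			fprintf(out, "\n");
			fprintf(out, "List of CA Information Sections:\n");
			first = FALSE;
		}
		fprintf(out, "\n");
		fprintf(out, " authname: \"%D\"\n", cert->get_subject(cert));

		/* list authkey and keyid */
		if (public)
		{
			fprintf(out, " authkey: %D\n",
					public->get_id(public, ID_PUBKEY_SHA1));
			fprintf(out, " keyid: %D\n",
					public->get_id(public, ID_PUBKEY_INFO_SHA1));
			public->destroy(public);
		}
		list_uris(section->crl, " crluris: ", out);
		list_uris(section->ocsp, " ocspuris: ", out);
		/* certuribase is optional; a NULL pointer must not reach %s */
		if (section->certuribase)
		{
			fprintf(out, " certuribase: '%s'\n", section->certuribase);
		}
	}
	enumerator->destroy(enumerator);
	this->mutex->unlock(this->mutex);
}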
418
419 /**
420 * Implementation of stroke_ca_t.destroy
421 */
/**
 * Implementation of stroke_ca_t.destroy: frees all sections, the mutex and
 * the object itself. The stroke_cred_t reference is not owned.
 */
static void destroy(private_stroke_ca_t *this)
{
	linked_list_t *sections = this->sections;
	mutex_t *mutex = this->mutex;

	sections->destroy_function(sections, (void*)ca_section_destroy);
	mutex->destroy(mutex);
	free(this);
}
428
429 /*
430 * see header file
431 */
/*
 * see header file
 */
stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
{
	private_stroke_ca_t *this = malloc_thing(private_stroke_ca_t);
	stroke_ca_t *public = &this->public;

	this->cred = cred;
	this->sections = linked_list_create();
	/* recursive, as a CDP enumerator keeps it locked while it runs */
	this->mutex = mutex_create(MUTEX_RECURSIVE);

	/* credential_set_t: only CDP enumeration is served from here */
	public->set.create_private_enumerator = (void*)return_null;
	public->set.create_cert_enumerator = (void*)return_null;
	public->set.create_shared_enumerator = (void*)return_null;
	public->set.create_cdp_enumerator = (void*)create_cdp_enumerator;
	public->set.cache_cert = (void*)nop;

	/* stroke_ca_t */
	public->add = (void(*)(stroke_ca_t*, stroke_msg_t *msg))add;
	public->del = (void(*)(stroke_ca_t*, stroke_msg_t *msg))del;
	public->list = (void(*)(stroke_ca_t*, stroke_msg_t *msg, FILE *out))list;
	public->check_for_hash_and_url = (void(*)(stroke_ca_t*, certificate_t*))check_for_hash_and_url;
	public->destroy = (void(*)(stroke_ca_t*))destroy;

	return public;
}